Informatique, Mathématiques et Automatique pour la Route Automatisée

Institut National de Recherche en Informatique et Automatique

Table of Contents

Hacking the Cubes

Serial connection to the cube

Laurent has a serial cable that can be used with the Cubes. connect a computer to the Cube (the serial connector is just on top of the power plug). The terminal emulator should be configured for 115200,n,8,1 communications without parity check. When booting, the bootloader (YAMON) will display its welcome message. 

YAMON ROM Monitor, Revision 02.17mtx1.
Copyright (c) 1999-2000 MIPS Technologies, Inc. - All Rights Reserved.

For a list of available commands, type 'help'.

Compilation time =            May 19 2005  14:21:19
MAC address =                 00.0e.56.00.63.16
Processor Company ID =        0x03
Processor ID/revision =       0x02 / 0x02
Endianness =                  Little
CPU =                         396 MHz
Flash memory size =           32 MByte
SDRAM size =                  64 MByte
First free SDRAM address =    0x8008c8f4

MTX-1 Watchdog support

Environment variable 'start' exists. After 4.0 seconds
it will be interpreted as a YAMON command and executed.
Press Ctrl-C to bypass this.
General Purpuse Button is Released

If Ctrl-C is hit timely, YAMON will drop to an interactive console where, for example, the environment can be inspected. 

YAMON> set

MAC         (R/W)  0
bootfile    (R/W)
bootprot    (R/W)  tftp
bootserport (R/W)  tty0
bootserver  (R/W)  192.168.226.1
cubeID      (USER) 1784
ethaddr     (R/W)  00.0e.56.00.63.16
gateway     (R/W)  192.168.226.1
ipaddr      (R/W)  192.168.226.2
memsize     (RO)   0x04000000
modetty0    (RO)   115200,n,8,1,none
modetty1    (RO)   115200,n,8,1,none
prompt      (R/W)  YAMON
serial      (USER) 051291209
start       (R/W)  go 0xbfd00000 root=/dev/mtdblock/0
subnetmask  (R/W)  255.255.255.0

A quick example of an environment redefinition after an erase -e, assuming the TFTP server is vision.inria.fr, and the Cube has ID 1784 (imara-cube-1784.inria.fr). 

YAMON> set bootprot tftp
YAMON> set bootserver 128.93.7.99
YAMON> set ethaddr 00.0e.56.00.63.16
YAMON> set gateway 128.93.1.100
YAMON> set ipaddr 128.93.7.156
YAMON> set subnetmask 255.255.192.0

Installing images via TFTP

A TFTP server should first be setup on a machine (see this other page for some hints), preferably on the same ethernet segment as the Cube to hack is. All the necessary images (kernels, filsystems, combined images,…) in /tftpboot (or wherever the TFTP daemon looks for them), and given the appropriate reading rights.

Once the Cube is powered, on should go to the YAMON console. The ethaddr and ipaddr may need to be modified to valid values. 

YAMON> set ethaddr 00.0e.56.00.63.16
YAMON> set ipaddr 128.93.7.11

Before downloading and writing a new image, the flash should be erased. Depending on what image will be reflashed, the addresses and ranges (resp. 0xbfd00000/0x140000 for a 2.6 kernel or 0xbfd00000/0xf0000 for an original 2.4 kernel from 4G) should be specified, or -s (for a filesystem image). When installing a combined image, both regions must be erased first. 

YAMON> erase ADDRESS RANGE
what...
The following area will be erased:
Start address = ADDRESS
Size          = RANGE
Confirm ? (y/n) y
Erasing...Done

The “Start address” and “Size” as reported by YAMON before starting the erase process my be different from what has been entered, this is because they have been rounded off to match the memory's boundaries.

The image can finally be retrieved from the TFTP server. 

YAMON>load tftp://TFTP_IP_ADDR/IMAGE.srec         
About to load tftp://TFTP_IP_ADDR/IMAGE.srec
Press Ctrl-C to break
................[...]...................

Start = ADDRESS, range = (ADDRESS,ADDRESS+IMAGE_SIZE), format = SREC

If the bootprot and bootserver environment variables have been set, it is possible to load an image more easily. The bootfile can also be specified. 

YAMON> bootprot tftp
YAMON> bootserver TFTP_IP_ADDR
YAMON> load /IMAGE.srec
About to load tftp://TFTP_IP_ADDR/IMAGE.srec
Press Ctrl-C to break
................[...]...................

Once written (be it to RAM or to flash), the image can be started, with optional arguments (e.g. as specified in the $start environment variable). 

YAMON> go ADDRESS

Complete example: Reflashing the original combined image

A full featured example using the YAMON console. 

YAMON> erase 0xbfd00000 0xf0000 
what...
The following area will be erased:
Start address = 0x1fd00000
Size          = 0x00100000
Confirm ? (y/n) y
Erasing...Done
YAMON> 
YAMON> erase -s                
Erasing...system...
Done

YAMON> load /combined.srec
About to load tftp://128.93.7.99/combined.srec
Press Ctrl-C to break
................[...]...................
YAMON> set start "go 0xbfd00000 root=/dev/mtdblock/0"
YAMON> $start
loaded at:     BFD00000 BFDE7000
relocated to:  81000000 810E7000
zimage at:     810063D0 810E6669
Uncompressing Linux at load address 80100000
Now booting the kernel
[...]

Note: on some (most?) of the Cubes, the system may reset itself after an erase -s. It is unsure whether this behavior is desired or not, nor whether the flash space is correctly cleaned up. If the subsequent flashing of the image fails, it is very possible that this is due to the flash not having been completely cleaned up.

The simplest way to do so, though, would be to use a modified install-image script (originally from meshcube.org) using imara-serv.inria.fr's mirror to reinstall the initial system.

, , , ,
 
imara/platforms/hardware/communications/4gcube/hack.txt · Last modified: 2011/02/05 15:45 by Paulo RESENDE
Recent changes · Show pagesource · Login
Driven by DokuWiki Powered by PHP Valid XHTML 1.0 Valid CSS
Copyright © LaRA